#1026: Spam filtering on domain age. And ASN!


Philip (Incorrigible Inquisitor, UK), Sep 28, 2020
In #1026 Steve read a suggestion from Shaun Michelson that the age of the From: domain would make a good spam metric. (Until, of course, the spammers started pre-registering domains for use a day later than the cut-off!)

In my analysis of a spam campaign that irked me a year or two back, I found that the commonality between all the spam emails was the originating ASN.

Some means of filtering emails on that could be very effective, as finding an alternative spam-friendly ASN isn't something they'd want to do unless they had to.

Basically what I do is:

a) Only properly registered (in DNS) hosts can connect to my SMTP port.
b) The gateway runs a Bayesian filter which flags the rest. Those flagged go into a spam folder.
c) My Postfix server also filters based on from address and subject line.
d) The few that do get through are used to train the Bayesian filter.

From: domain does not work, as quite a few of them come from one of my domains, Gmail, or other legitimate sources.

The From: address and its domain are the easiest things in the world to spoof, so from a superficial glance, spam can easily appear to come from Gmail.

Take a look at the full headers and find the earliest with a public (non-RFC 1918) IP address, e.g.:

    Received: from mossane.bond (ocolas.lat [51.195.235.232])
        by mail.konnecen.casa (Postfix) with ESMTPA id 85EAE663D2;
        Fri, 17 Jan 2025 03:06:23 +0200 (EET)

IP to ASN look-up on 194.39.204.19 reveals that it belongs to AS16276. This is the same as a significant number of other spam emails which otherwise have nothing definite in common.

You'll probably find that most of your spam comes from just a handful of spammy ASNs.
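The header walk described in the reply above, written out as an added example (this is not code from any post in the thread): it parses the Received: chain of a message, takes the earliest hop carrying a globally routable address (skipping RFC 1918, loopback and similar ranges), and maps that address to an ASN so a spam folder can be tallied by originating network. The Received: lines for mossane.bond are the ones quoted in the thread; the surrounding hops, the From: lines and the prefix table are constructed. The table stands in for a real IP-to-ASN lookup: the AS16276 row reproduces the value the post quotes for 194.39.204.19, and the other rows use RFC 5398 documentation ASNs as placeholders, not real routing data.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Matches the bracketed address Postfix writes in a Received: clause,
# e.g. "(ocolas.lat [51.195.235.232])" or "[IPv6:2001:db8::1]".
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed prefix -> ASN table standing in for a whois/BGP lookup.
# AS16276 for 194.39.204.19 is the value quoted in the post; AS64496 and
# AS64497 are RFC 5398 documentation ASNs, so those rows are placeholders.
PREFIX_TO_ASN = {
    "194.39.204.0/24": "AS16276",
    "51.195.0.0/16": "AS64496",
    "203.0.113.0/24": "AS64497",
}

# Constructed sample messages. Received: headers are prepended by each hop,
# so the chain reads newest-first and the originating hop is the last one.
MESSAGE_A = """\
Received: from mail.konnecen.casa (mail.konnecen.casa [192.168.1.10])
\tby inbox.example.test (Postfix) with ESMTP id AAAA0001;
\tFri, 17 Jan 2025 03:06:25 +0200 (EET)
Received: from mossane.bond (ocolas.lat [51.195.235.232])
\tby mail.konnecen.casa (Postfix) with ESMTPA id 85EAE663D2;
\tFri, 17 Jan 2025 03:06:23 +0200 (EET)
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mossane.bond (Postfix) with ESMTPSA id BBBB0002;
\tFri, 17 Jan 2025 03:06:20 +0200 (EET)
From: "Account Team" <someone@gmail.com>
Subject: constructed sample

body
"""

MESSAGE_B = """\
Received: from relay.example.test (unknown [194.39.204.19])
\tby inbox.example.test (Postfix) with ESMTP id CCCC0003;
\tFri, 17 Jan 2025 04:00:00 +0200 (EET)
From: "Support" <support@example.test>
Subject: constructed sample

body
"""

# Locally submitted mail: no public hop at all, so no ASN can be assigned.
MESSAGE_C = """\
Received: from localhost (localhost [127.0.0.1])
\tby inbox.example.test (Postfix) with ESMTP id DDDD0004;
\tFri, 17 Jan 2025 05:00:00 +0200 (EET)
From: "Me" <me@example.test>
Subject: constructed local sample

body
"""


def extract_ips(received_value):
    """Return every bracketed IP literal in one Received: header value."""
    return _BRACKET_IP.findall(received_value)


def is_public(ip_text):
    """True only for a globally routable address; RFC 1918, loopback,
    link-local, CGNAT and malformed text all return False."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def origin_ip(raw_message):
    """Walk the Received: chain oldest-first and return the first public IP.
    Private hops at the bottom (internal relays, submission clients) are
    skipped; None means the message never touched a public address."""
    msg = message_from_string(raw_message)
    for value in reversed(msg.get_all("Received", [])):
        for ip_text in extract_ips(value):
            if is_public(ip_text):
                return ip_text
    return None


def lookup_asn(ip_text, table=PREFIX_TO_ASN):
    """Longest-prefix match of ip_text against the prefix table."""
    addr = ipaddress.ip_address(ip_text)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def asn_tally(raw_messages, table=PREFIX_TO_ASN):
    """Count originating ASNs over a batch of messages, e.g. a spam folder."""
    counts = Counter()
    for raw in raw_messages:
        ip_text = origin_ip(raw)
        asn = lookup_asn(ip_text, table) if ip_text else None
        counts[asn or "unknown"] += 1
    return counts


if __name__ == "__main__":
    batch = [MESSAGE_A, MESSAGE_B, MESSAGE_A, MESSAGE_C]
    for asn, n in asn_tally(batch).most_common():
        print(f"{asn}: {n}")
```

Run against a real spam folder, the tally is what tells you whether a handful of ASNs dominate; the prefix table would be replaced by a proper IP-to-ASN source, and the "unknown" bucket catches both locally submitted mail and addresses the table does not cover, which is worth keeping separate rather than folding into a block decision.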